I think that setSecureCookie should be set to true as a default, not an option. From my point of view, serving Matomo over https should be expected - not http. And therefore it should make sense to have setSecureCookie=true as default, and if it should not be set to true, that should be the option, that makes setting up tracking much simpler for the end user, from my perspective.
So this should be the override:
Thanks for your suggestion. Guess might make sense to expect secure cookies by default.
Might be something we could evaluate for Matomo 4. It kind of breaks BC, as the tracking code needs to be adjusted for HTTP sites.
I think this might be even worth breaking BC for as the alternative is having everyone using HTTPS (which should be far more people than those that don't) edit their tracking code.
We had this topic a few days ago in Slack. Problem is when your site is not fully https, and e.g. some pages are http and some are https, then you end up with different cookies and different visitor IDs etc.
Many people are still using http, and for example have a login on https etc. Seeing this sometimes while investigating issues. Of course they could then just remove the line from the suggested tracking code. Would need to make sure the default tracking code we suggest has a comment next to it explaining things and explains when to remove it etc.
> serving Matomo over https should be expected -
In this case it's the user website that matters as we are setting a first party cookie unless I'm not seeing it?
Assuming we make secure cookies the default setting, we could extend the tracking code generator with an additional option "My site is served https only", which is checked by default. And when you uncheck it the _paq.push(['setSecureCookie', false]); is added?
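
An added illustration, not part of the thread and not Matomo's code: a small model of the mixed http/https problem raised above, showing how one visitor ends up with several visitor IDs when the ID cookie is marked Secure. The `CookieJar` class, the `trackPageview` and `simulate` helpers, the shortened cookie name `_pk_id` and the browsing path are assumptions made for the example; the jar applies the rule current browsers apply, that a page loaded over http can neither read, create nor overwrite a Secure cookie.

```javascript
// Constructed model, not Matomo's code: a minimal cookie jar that applies the
// Secure-attribute rules a browser applies to first-party cookies.
class CookieJar {
  constructor() { this.cookies = new Map(); } // name -> { value, secure }

  // Cookies visible to a script on a page loaded over `scheme`.
  read(scheme) {
    const visible = {};
    for (const [name, c] of this.cookies) {
      if (!c.secure || scheme === 'https') visible[name] = c.value;
    }
    return visible;
  }

  // Returns false when the browser would refuse the write.
  write(scheme, name, value, secure) {
    const existing = this.cookies.get(name);
    // An insecure page can neither create a Secure cookie nor overwrite one.
    if (scheme !== 'https' && (secure || (existing && existing.secure))) return false;
    this.cookies.set(name, { value, secure });
    return true;
  }
}

// Hypothetical stand-in for a tracker: reuse the visitor ID cookie if it is
// visible, otherwise mint a new ID and try to store it ('_pk_id' is shortened).
let counter = 0;
function trackPageview(jar, scheme, secureCookie) {
  let id = jar.read(scheme)['_pk_id'];
  if (id === undefined) {
    id = 'visitor-' + (++counter);
    jar.write(scheme, '_pk_id', id, secureCookie);
  }
  return id;
}

// One person browsing a mixed site: login over https, the rest over http.
function simulate(secureCookie) {
  counter = 0;
  const jar = new CookieJar();
  const path = ['https', 'http', 'http', 'https'];
  return path.map((scheme) => trackPageview(jar, scheme, secureCookie));
}

console.log('secure cookie on :', simulate(true));
console.log('secure cookie off:', simulate(false));
```

With the Secure flag on, every http pageview in the model gets a fresh ID because the write is refused each time; with it off, the same ID is reused on all four pages, at the cost of the cookie travelling over plain http.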